Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

  • Global
  • Personal

Recognition

  • Give kudos
  • Received
  • Given

Leaderboard

  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Security Log For Confluence - Match Username to IP Address

I need to identify the IP addresses that users are accessing my Confluence server from so that I can correctly filter them out in Apache.

JIRA already has an excellent log file which I can use for this (atlassian-jira-security.log) as detailed in 

https://confluence.atlassian.com/adminjiraserver073/logging-and-profiling-861253813.html

  • Security-related information (e.g. login, logout, session creation/destruction, security denials) is written to atlassian-jira-security.log.

e.g.

2018-07-20 09:36:11,161 http-nio-8080-exec-149 url:/rest/dev-status/1.0/issue/summary joebloggs 576x346142x1 - 10.12.22.124,221.250.140.12 /rest/dev-status/1.0/issue/summary The user 'joebloggs' has PASSED authentication.

However this log file doesn't exist for Confluence and I can't seem to find a way to generate this information. Ideally I'd like a log entry for when a user passes authentication which includes the IP address they accessed Confluence from.

Is there a way to create this information in my logs on Confluence?

2 answers

2 accepted

1 vote
Answer accepted
Zak Laughton Atlassian Team Aug 06, 2018

Hi Dalectric,

You can log user access along with their IP address by enabling User Access Logging in Confluence. See How to Enable User Access Logging.

-Zak

Thanks, I can see I can get close to what I require, but I can't seem to return the IP address, With the default values I get

2018-08-07 10:00:15,845 INFO [localhost-startStop-1] [atlassian.confluence.util.AccessLogFilter] init AccessLogFilter initialized. Format is: <user> <url> <starting memory free (kb)> +- <difference in free mem (kb)> <query time (ms)> <remote address>
2018-08-07 10:00:25,462 INFO [http-nio-8090-exec-3] [atlassian.confluence.util.AccessLogFilter] doFilter - GET https://ukcov-con/pages/viewpage.action 7702577-374790 1084 0:0:0:0:0:0:0:1
2018-08-07 10:00:30,744 INFO [http-nio-8090-exec-11] [atlassian.confluence.util.AccessLogFilter] doFilter - GET https://ukcov-con/login.action 7161220-397312 4636 0:0:0:0:0:0:0:1
2018-08-07 10:00:34,308 INFO [http-nio-8090-exec-8] [atlassian.confluence.util.AccessLogFilter] doFilter - POST https://ukcov-con/dologin.action 6568665-32595 807 0:0:0:0:0:0:0:1
2018-08-07 10:00:49,609 INFO [http-nio-8090-exec-4] [atlassian.confluence.util.AccessLogFilter] doFilter joebloggs GET https://ukcov-con/pages/viewpage.action 6536070+1184355 15273 0:0:0:0:0:0:0:1

Looking at the JIRA setting I see it has a specific API for handling this in 

https://docs.atlassian.com/DAC/javadoc/jira/reference/com/atlassian/jira/util/log/Log4jKit.html

And you can see this in the log file setup on JIRA

log4j.appender.securitylog.layout.ConversionPattern=%d %t %X{jira.username} %X{jira.request.id} %X{jira.request.assession.id} %X{jira.request.ipaddr} %X{jira.request.url} %m%n

There doesn't appear to be the same API for Confluence so how can I add the IP address to the output log file for Confluence?

(I'm plugging away at this so if I find a way I'll post up the answer)

Looking at the this some more it seems that my remote address is coming through as IPv6 (0:0:0:0:0:0:0:1) and not IPv4 shown in the example (127.0.0.1). Any ideas why this would be?

Adding the following line to my Java options forced it to IPv4 format

-Djava.net.preferIPv4Stack=true

However the IP address is always the Confluence server address. Possibly due to the Apache reverse proxy that's in place. Further investigation ongoing. 

An alternative is to add the following to the server.xml before the </Engine> tag, and it does what I need, but it generates a lot of entries as each element from a page creates a log entry. That means the files will grow to a very large size very quickly. 

 <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="conf_access_log" 
fileDateFormat="-yyyyMMdd" suffix=".log"
pattern="%t %a %l %{X-Forwarded-For}i %{X-AUSERNAME}o &quot;%{Referer}i&quot; &quot;%r&quot; %b"
resolveHosts="false"/>
1 vote
Answer accepted

OK I've cracked it. This is all the things I needed to do.

Add the following to server.xml before </Engine> where the IP address is that of my server (logs the client's IP address instead of the Apache reverse proxy address)

 <Valve
className="org.apache.catalina.valves.RemoteIpValve"
internalProxies="192\.168\.10\.123"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"
/>

 In WEB-INF web.xml uncommented the following entry

 <filter-mapping>
<filter-name>AccessLogFilter</filter-name>
<url-pattern>/display/*</url-pattern>
</filter-mapping>

 In WEB-INF/classes log4j.properties uncomment and modify

log4j.category.com.atlassian.confluence.util.AccessLogFilter=INFO, accesslog
log4j.additivity.com.atlassian.confluence.util.AccessLogFilter=false

and added the following near the start of the file under the other appender declarations. The ConversionPattern is customised for my needs from the standard declaration.

log4j.appender.accesslog=org.apache.log4j.RollingFileAppender
log4j.appender.accesslog.Threshold=DEBUG
log4j.appender.accesslog.File=${catalina.home}/logs/atlassian-confluence-access.log
log4j.appender.accesslog.MaxFileSize=20480KB
log4j.appender.accesslog.MaxBackupIndex=5
log4j.appender.accesslog.layout=com.atlassian.confluence.util.PatternLayoutWithStackTrace
log4j.appender.accesslog.layout.ConversionPattern=%d %p [%t] %m%n

In the Windows service added the following line (forces IPv4 address as I was getting 0:0:0:0:0:0:1 IPv6 address)

-Djava.net.preferIPv4Stack=true

And now I have a new log file which gives date and time of access along with the username and client IP address

2018-08-15 11:11:23,020 INFO [http-nio-8090-exec-4] joebloggs GET https://con-testsvr/display/CT/task+list 5837972-291988 2587 192.100.22.102

 Thanks to @Zak Laughton for pointing me in the right direction

Changing the url-pattern to only record the index.action which happens after a user logs in has reduced the size of the log file

<filter-mapping>
<filter-name>AccessLogFilter</filter-name>
<url-pattern>/index.action</url-pattern>
</filter-mapping>

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Posted in Confluence

What do you think is the most *delightful* Confluence feature? Comment for a prize!

- Create your own custom emoji 🔥 - "Shake for Feedback" on mobile 📱 - An endless supply of GIFs via GIPHY 🤩 Is there anything quite as nice as a pleasant surprise? Comment below with what...

415 views 23 8
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you